Scam alert – I’ve got your password

In recent months there has been a wave of messages in which spammers quote a password, or part of one, that you have used in the past for some service and that may even still be valid. The message claims that they have planted malware on your computer and used your webcam to record you while you were visiting websites with adult content. The spammers then demand a ransom in bitcoin or another cryptocurrency; otherwise, the recordings will supposedly be sent to people from your contact list.

No matter how stressful or believable such a message seems, you should not panic. The fact that they quote a password you may have used does not make the blackmail any less fake. In fact, several things in these messages simply do not hold water.

There is no reason to be worried: apart from the recycled password, the message contains no genuine personal details. None of the screenshots, pictures or videos they claim to have captured are attached, and nothing specific to you, your device or your browsing history is ever mentioned. The wording varies between variants, but all of them are essentially the same: empty threats. Here is the most recent version of the scam:

Hello,

I am a spyware software developer. Your account has been hacked by me in the summer of 2018.

I understand that it is hard to believe, but here is my evidence (I sent you this email from your account).

The hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2018-0296).

I went around the security system in the router, installed an exploit there. When you went online, my exploit downloaded my malicious code (rootkit) to your device. This is driver software, I constantly updated it, so your antivirus is silent all time.

Since then I have been following you (I can connect to your device via the VNC protocol). That is, I can see absolutely everything that you do, view and download your files and any data to yourself. I also have access to the camera on your device, and I periodically take photos and videos with you.

At the moment, I have harvested a solid dirt... on you... I saved all your email and chats from your messengers. I also saved the entire history of the sites you visit.

I note that it is useless to change the passwords. My malware update passwords from your accounts every times.

I know what you like hard funs (adult sites). Oh, yes .. I'm know your secret life, which you are hiding from everyone. Oh my God, what are your like... I saw THIS ... Oh, you dirty naughty person ... 🙂

I took photos and videos of your most passionate funs with adult content, and synchronized them in real time with the image of your camera. Believe it turned out very high quality!

So, to the business! I'm sure you don't want to show these files and visiting history to all your contacts.

Transfer $998 to my Bitcoin cryptocurrency wallet: 1JwRp2J8bQcoG8XTUbxQZaEj9QB4RB6zEa

My system automatically recognizes the translation. As soon as the specified amount is received, all your data will be destroyed from my server, and the rootkit will be automatically removed from your system.

Do not worry, I really will delete everything, since I am 'working' with many people who have fallen into your position. You will only have to inform your provider about the vulnerabilities in the router so that other hackers will not use it.

Since opening this letter you have 48 hours. If funds not will be received, after the specified time has elapsed, the disk of your device will be formatted, and from my server will automatically send email and sms to all your contacts with compromising material.

I advise you to remain prudent and not engage in nonsense (all files on my server).

Good luck!

The messages are built from templates with slight variations in wording; the purpose is always the same: to blackmail you. Here is what the template from September looks like:

Most of these messages are sent through botnets, that is, through compromised computers and mail accounts that the spammers control. There have also been reports of messages sent from compromised servers that are used deliberately for scams, blackmail and malware distribution.

Regarding the passwords quoted in these “sextortion” attempts

It is very likely that the quoted password was taken from one of the leaked databases circulating on the web. There have been many data breaches in which usernames and passwords were exposed, including at big names: Adobe was breached in October 2013, exposing 153 million accounts; 164 million LinkedIn email addresses and passwords surfaced for sale in May 2016 (the breach itself dates back to 2012); and Dropbox suffered a breach in 2012 after which more than 60 million accounts were traded online.

As a precaution, we recommend that you change your mailbox password. If the quoted password was ever used on a website that was later compromised, every other service where you reused it is at risk as well.

Do not reuse passwords across services: every password you have should be unique. A password manager makes this practical, and some of them can also create an encrypted backup of your locally stored passwords.
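A practical way to find out whether a password has already surfaced in a breach corpus, without sending the password itself anywhere, is the k-anonymity range lookup offered by the Have I Been Pwned “Pwned Passwords” service. The following is an added example, not code from this article or from that service; it assumes the API shape (GET /range/<first 5 hex digits of the SHA-1>, answered with lines of the form <remaining 35 hex digits>:<count>) and makes no network request: the server response is a constructed stand-in.

```python
"""Check whether a password is in a known breach corpus without sending it.

Added example, not part of the original article. It follows the k-anonymity
range lookup of the Have I Been Pwned "Pwned Passwords" service (assumption
about the API shape: GET /range/<first 5 hex digits of the SHA-1>, answered
with lines "<remaining 35 hex digits>:<count>"). No network request is made:
sample_fetch_range below serves a constructed response.
"""
import hashlib
import hmac
from typing import Callable, Tuple

# Constructed stand-in for the server's answer to the range 5BAA6. The middle
# line carries the real SHA-1 suffix of the string "password"; the counts are
# made up for this example.
SAMPLE_RANGE_RESPONSE = (
    "1D72CD07550416C216D8AD296BF5C0AE8E0:10\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1E2AAC3F1C3A2B4E3A2B1D2F3C4B5A6978F:2\r\n"
)


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5 chars sent and the 35 kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def sample_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call: only the range 5BAA6 has sample data."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = sample_fetch_range) -> int:
    """Return how many times the password appears in the corpus, 0 if never.

    Only the 5-character prefix leaves the machine; the server returns every
    suffix in that range and the comparison happens locally.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep:
            continue
        # constant-time comparison: a habit worth keeping for secret-derived values
        if hmac.compare_digest(candidate.upper(), suffix):
            return int(count) if count.isdigit() else 1
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 7!"):
        n = breach_count(pw)
        verdict = f"seen {n} times in the corpus, change it" if n else "not in the sample corpus"
        print(f"{pw!r}: {verdict}")
```

For real use, replace sample_fetch_range with a function that performs the HTTPS request for the prefix; the matching logic stays the same, and the full hash never leaves your machine.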

Do not send any money. Simply ignore and delete the message, and tell your colleagues to do the same if they receive one.

Our anti-spam mechanisms are ready to block such messages. SpamAssassin is one of the most effective tools for fighting spam. Besides its static rules, it includes a Bayesian classifier that learns from your incoming mail, so the filter becomes tailored to your own mail flow: once it has been trained on the keywords and patterns of incoming spam (and on legitimate mail, for example with sa-learn), it improves over time and filters spam more efficiently.
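To make the pattern side of this concrete, here is an added example (not code from this article or from SpamAssassin) that applies the kind of keyword and pattern checks a SpamAssassin rule would express to the sextortion template, extracts the Bitcoin payment address and verifies its Base58Check checksum. The sample messages are constructed; the address in the scam sample is the well-known Bitcoin genesis-block address, used only as a syntactically valid stand-in, and the address quoted in the scam above can be checked the same way.

```python
"""Triage of "I've got your password" (sextortion) messages.

Added example, not part of the original article or of SpamAssassin. The
indicators mirror the recurring elements of the scam templates; the Bitcoin
address check decodes Base58 and verifies the 4-byte double-SHA-256 checksum.
Samples are constructed; the address is the Bitcoin genesis-block address.
"""
import hashlib
import re

# Legacy (P2PKH/P2SH) addresses only; bc1... bech32 addresses are not covered.
BTC_ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Each indicator corresponds to one recurring element of the templates.
INDICATORS = {
    "quotes_password": re.compile(r"\byour (old |current )?passwords?\b", re.I),
    "camera_claim": re.compile(r"\b(webcam|camera)\b", re.I),
    "adult_content": re.compile(r"\b(adult|porn)\w*", re.I),
    "malware_claim": re.compile(r"\b(rootkit|trojan|malware|spyware|virus)\b", re.I),
    "deadline": re.compile(r"\b\d{1,3}\s*(hours|days)\b", re.I),
    "contacts_threat": re.compile(r"\b(all|every)\b.{0,40}\bcontacts?\b", re.I | re.S),
}


def b58decode(text: str) -> bytes:
    """Decode a Base58 string; raises ValueError on characters outside the alphabet."""
    number = 0
    for ch in text:
        number = number * 58 + B58_ALPHABET.index(ch)  # .index raises ValueError
    body = number.to_bytes((number.bit_length() + 7) // 8, "big")
    leading_zeros = len(text) - len(text.lstrip("1"))  # each leading '1' is a 0x00 byte
    return b"\x00" * leading_zeros + body


def is_valid_btc_address(address: str) -> bool:
    """True if the last 4 bytes equal the first 4 bytes of SHA-256(SHA-256(payload))."""
    try:
        raw = b58decode(address)
    except ValueError:
        return False
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return expected == checksum


def triage(message: str) -> dict:
    """Score one message body against the sextortion indicators."""
    matched = [name for name, rx in INDICATORS.items() if rx.search(message)]
    addresses = BTC_ADDRESS_RE.findall(message)
    valid = [a for a in addresses if is_valid_btc_address(a)]
    # A valid payment address plus two template markers, or three markers on
    # their own, is enough to flag the message as the sextortion template.
    flagged = len(matched) + (1 if valid else 0) >= 3
    return {"flagged": flagged, "indicators": matched,
            "addresses": addresses, "valid_addresses": valid}


# Constructed samples (not real mail).
SCAM_SAMPLE = (
    "I know your password: hunter2. I installed spyware on your device and used "
    "your camera while you visited adult sites. Send $998 in Bitcoin to "
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours or the video goes to "
    "all your contacts."
)
HAM_SAMPLE = (
    "Hi team, the Bitcoin price summary is attached. Please review the quarterly "
    "report before the meeting on Friday."
)

if __name__ == "__main__":
    for sample in (SCAM_SAMPLE, HAM_SAMPLE):
        print(triage(sample))
```

The checksum test is not proof that an address belongs to a scammer, only that it is a real address and therefore worth reporting; a message that trips the indicators but carries a malformed address is typically a template copied badly.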

Sometimes the message appears to come from your own domain or even from your own mailbox, which is even more unsettling; in reality the sender address has simply been spoofed. Publishing an SPF record greatly reduces the deliverability of such spoofed messages: with it, only our server is listed as an allowed sender for your domain, and receiving servers can reject mail for your domain that arrives from anywhere else. Adding DKIM is also strongly recommended. With DKIM enabled, a digital signature is added as a header of each outgoing message, so that the receiving side can verify that the message really was sent through your domain's mail server and was not altered in transit. Note that SPF checks the envelope sender and DKIM only proves that a message was signed by your domain; for receivers to enforce that the visible From: address matches either of them, you also need a DMARC policy.

If your domain name uses our nameservers, both SPF and DKIM can be enabled easily via the DNS Manager section of our Control Panel.

You can report these blackmailing attempts to the following authorities:

BitCoin Abuse is a public database of bitcoin addresses used by hackers and criminals. Reporting the address from the message helps researchers and law enforcement follow the funds and, hopefully, identify the criminals when they try to cash out, for example by moving the money to a bank account.